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[57] 



ABSTRACT 



A method and system for the remote control of devices 
having a secure self learn capability. The system includes an 
encoder and a decoder, the encoder encoding variable infor- 
mation including a user key using a non-linear algorithm to 
produce an encoded value transmitted to the decoder, the 
decoder decoding the value using the same algorithm. In a 
learning mode a new encoder is to be added to the system. 
The new encoder produces an encoded value using a key 
generation seed. The decoder, upon receiving the encoded 
key generation seed, produces a decoding key based upon 
the decoded key generation seed. The decoding key is stored 
in the decoder memory allowing valid recognition of the 
new encoder in a secure manner. 

3 Claims, 7 Drawing Sheets 
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SECURE SELF LEARNING SYSTEM received and decoded, a decoder responds only if a valid 

transmission was made. In some cases (refer to ZA Patent 

REFERENCE TO RELATED APPLICATIONS No. 91/4063) a special algorithm is used with a stored key 

The present application is a Continuation-in-part of appli- to dccodc A an encodc J d r <f c P tion * ^ decoded value is then 

cation U.S. Ser. No. 08/313,613, (which has now issued as 5 com P ared lo a slored value to determine if the transmission 

U.S. Pat. No. 5,686,904) filed on Sep. 30, 1994, the disclo- 15 lc S Uunatc or not - 

sure of which is hereby incorporated by reference, which is A disadvantage of code hopping and rolling code systems 

a Continuation-in-part of application U.S. Ser. No. 07/985, ^ the fact that it is difficult to replace or disable lost, stolen 

929, (which is now pending) filed on Dec. 4, 1992, the or unserviceable transmitters. External equipment must be 

disclosure of which is incorporated herein by reference, 10 uscd bv a manufacturer or dealer to reprogram and replace 

which is a Continuation-in-part of application Ser. No. a transmitter. An additional security problem may be created 

07/707,101, filed on May 29, 1991, now abandoned. durin S ^is process. 

Ideally, a security system should not require dealer inter- 

BACKGROUND OF THE INVENTION vention when a user needs to add a new transmitter to the 

1. Field of the Invention 15 svstem or re pl ace a transmitter. The user should be able to 
„ . : 4 , lf buy a generic replacement transmitter off the shelf and add 
Hie present invention relates to an improved secure self ^ transmiUer unassisted whcn convenient. Learning sys- 

learning system and method and, ,n particular to an tems ide ^ bilil m that the decoder M 

improved secure self learning system and method for ^ new transmitter>s idemi , witbou , havin tQ be 

remotely controlling systems and devices ,n security sys- 20 grlmmed from outside usinj / special equipm ent. 

. c iL n i j A learning system should however not only enable a user 

2. Discussion of the Background tQ add a ncw transmiltcr to the svstemj but sh ; uld also have 

The remote control of systems or devices via ultrasonic, a meatls of excluding a previous transmitter from the system, 

radio frequency or infra red transducers is popular for many due to the possibility of such a transmitter falling into the 

applications, including security systems for buildings and wrong hands 

vehicles, and remote controlled garage door and gate open- [n self leami fixed code me incQmi ^ [& 

ers. Certain umdirectiona^ transmission sys ems currenUy in s(ored fof ^ references b 7 the decoder wheQ % fa in a 

use have two very importan security shortcomings: (a) the leamm mode Subacqucnl transmissions are compared with 

codes hey transmit are usually fixed; and (b) the number of ^ leamed code Differem arra nts to leam £ ew trans . 

possible code combinations 1S relatively small. EUher of m ^ t codes afC ^ A switcfa ^ bc ^ {Q &et 

these shortcomings can lead to unauthorized access. decoder eithef m a nQrmal mode Qr {n a leafning 

Hie limited number of possible combinations available in modc qj s p al Nos 4/750,118 and 4,912,463). In the 

most remote control systems makes it possible to transmit all learning mode, the decoder can learn new valid codes from 

possible combinations in a relatively short time. A hand held 35 a transmitter. Similar means are used (refer to U.S. Pat. Nos. 

microprocessor-based system for this purpose (called a code 4,931,789 and 5,049,867) to program the decoders to react 

scanner) can easily be constructed. t0 a new transmitter code. In another patent (refer to U.S. 

In systems using eight DIP switches (256 combinations), p a t. No. 5,148,159), a randomly selected fixed code is 
this scanning process can typically be accomplished in less generated by the decoder and programmed into the associ- 
than 32 seconds, when trying eight combinations per second. 4Q a ted transmitter. U.S. Pat. No. 4,855,713 describes the use of 
Even in systems using 16 bit keys, yielding 65,536 a hand held programmer to program the new fixed code to 
combinations, only 2 V* hours would be required to try all be recognized by the decoder. In all of these patents, the 
possible combinations. It should also be noted that the transmitted or programmed codes are fixed stored codes, 
scanner may gain access in far less time than this maximum Security threats by means of code grabbing or code genera- 
time and the average time would, in fact, be half of the total 45 tion still exist irrespective of the learning mechanisms 
time. employed. In addition, for these systems to learn, the user 

An easier way of gaining unauthorized access to a secu- has to either (1) use a cumbersome, more expensive, two 

rity system is freely available. A unit of this type is adver- switch system; and/or (2) the user has to set the receiver/ 

tised as a tool for the "legal repossession of vehicles/' A decoder in learning mode via (a) a switch inconveniently 

remote control transmitter of the type normally used in 50 physically located on the receiver/decoder which can be 

vehicle security and remote control systems includes a small very difficult (if not impossible for elderly or handicapped 

radio transmitter that transmits a code number on a specific persons) to activate once the system, e.g., a receiver of a 

frequency. This code number is normally generated by an garage door opening system, is installed, e.g. on the ceiling 

integrated circuit encoder. This transmission frequency is of a user's garage (See FIG. 1 of U.S. Pat. No. 4,750,118), 

usually fixed by legislation within a particular country. Thus, 55 (b) a code sent by the transmitter — activation and use of 

it is possible to build a receiver that can receive signals from such can be complicated and not secure if the transmitter is 

all such transmitters and to use this together with a circuit lost or worse stolen, or (c) a code sent by a separate 

which records the transmissions captured by the receiver. programming means which can be complicated to use and 

Such a device is known as a code or key grabber and can be likewise not secure if the programming means is lost or 

used to gain access to protected premises or to vehicles with ^ worse stolen. 

remote control security systems. Reference should also be made to the specifications of the 

Code hopping and rolling code systems are currently following U.S. Pat, Nos.: RE 29,525; 4380,762; 4,385,296; 

available to overcome the limitations of fixed code systems 4,426,637; 4,529,980; 4,534,333; 4,574,247; 4,590,470; 

(refer to ZA Patent No. 91/4063 and U.S. Pat. No. 5,103, 4,596,985; 4,638,433; 4,652,860; 4,686,529; 4,737,770; 

-.221). The specifications of these patents describe transmit- 65 4,779,090, 4,835,407; 4,847,614; 4,855,713; 4,878,052; 

ters which use algorithms to generate a different transmis- 4,890,108; 4,928,098; 4,951,029; 4,988,992; 5,049,856; and 

sion each time the transmitter is activated. When a code is 5,055,701. 
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SUMMARY OF THE INVENTION 

In contrast to the above-described fixed-code systems, the 
invention of the present application provides a secure self- 
learning code hopping or rolling code system whereby 
security threats by code grabbing or code generation devices 5 
are removed. 

According to one preferred embodiment, the invention of 
the present application provides an improved rolling code or 
code hopping system comprising an encoder and a decoder, 
wherein the improvement comprises: a decoder learning 10 
mode activation means whereby upon activation of said 
means the decoder is set in learning mode, said means being 
physically remote or detached from the encoder, and the 
decoder, and preferably from any other programming 
means. 15 

According to a further embodiment, the invention of the 
present application provides an improved code hopping or 
rolling code system comprising a transmitter and a receiver, 
wherein said improvement comprises; a receiver learning 
mode switch whereby upon activation of said switch the 2 o 
receiver is set in the learning mode, said switch being 
physically detached or remote from the receiver, the 
transmitter, and preferably any other programming means. 

The invention provides, in the first instance, a method of 
operating an encoder which includes the steps of: 25 

storing a serial number; 

storing at least one of the following: 
a seed; and 

a key which is generated using a manufacturer's 
master key and at least one of the following: 30 

the seed; and 

the serial number; and 
transferring key generation information selected at 

least from: 

the seed; 35 
the serial number; and 
information derived from applying the key 
and an algorithm to an input value. 
The input value may include information selected at least 
from: 40 
a management code; 
a counter value; and 
information relating to a command. 
In one embodiment the method includes the steps of: 
storing a plurality of parameter sets, each parameter set 45 
including information selected at least from: 
a respective serial number; 
a respective seed; 
a respective key; and 

respective information derived from applying the said 
respective key and the algorithm to a respective input 
value; 

selecting a parameter set; and 

transferring the respective key generation information 
for the selected parameter set. 
Each input value may include information selected at least 
from: 

a respective management code; 

a respective counter value; and 6Q 
information relating to a command. 
The invention also extends to a method of operating a 
decoder which includes the steps of: 
storing a manufacturer's master key; 
setting the decoder in learning mode by activating a 65 

decoder learning mode activation means physically 

remote or detached from the decoder; 



50 



55 



receiving a signal which contains key generation infor- 
mation selected at least from: 
a seed; 

a serial number; and 

encoded information derived from applying a first key 

and an algorithm to an input value; and 
generating a second key using at least the key genera- 
tion information and the manufacturer's master key. 
The method may include the steps of storing at least one 
of: 

the second key; 

the key generation information; and 
the serial number. 

In one embodiment the received signal includes the 
encoded information and the method includes the steps of: 

decoding the encoded information using a decoding algo- 
rithm and a previously generated second key to obtain 
a decoded input value which includes information 
selected at least from: 
a management code; 
a counter value; and 

information relating to a command; and storing the 
decoded input value. 
The method may include the steps of: 
storing a plurality of parameter sets, each parameter set 
including information selected at least from: 
a respective serial number; 
a respective management code; and 
a respective counter value. 
The invention further extends to a method of operating an 
access control system which includes an encoder and a 
decoder, the method including the steps of: 
storing a serial number; 
storing at least one of the following: 
a seed; and 

a first key which is generated using a manufacturer's 
master key and at least one of the following: 
the seed; and 
the serial number; and 

using the encoder to transfer a signal which includes 
key generation information selected at least from: 
the seed; 

the serial number; and 

information derived from applying the first key 
and an algorithm to an input value; and 

storing a manufacturer's master key in the 
decoder; 

activating a decoder learning mode activation 
means for setting the decoder in learning 
mode, said means being remote from the 
encoder and the decoder; 

receiving the transferred signal by the decoder; 
and 

generating a second key by the decoder using at 
least the key generation information and the 
manufacturer's master key. 
The second key or the key generation information may be 
stored. In the former case, the method includes the steps of: 
activating the encoder with a command; 
encoding at least an input value using the first key and an 
algorithm to form an encoded part, the input value 
including information selected at least from: 
a counter value; 
a management code; and 
information relating to the command; 
using the encoder to transfer a signal which is formed 
from at least the serial number and the encoded part; 
and, at the decoder, 
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10 



15 



receiving the transferred signal; and 
using the second key and a decoding algorithm to 
decode the said encoded part in the transferred signal 
to obtain the said input value. 
In the latter case the method includes the steps of: 5 
activating the encoder with a command; 
encoding at least an input value using the first key and an 
algorithm to form an encoded part, the input value 
including formation selected at least from: 
a counter value; 
a management code; and 
information relating to the command; 
using the encoder to transfer a signal which is formed 
from at least the serial number and the encoded part; 
and, at the decoder, 
receiving the transferred signal; and 
using the key generation information and a decoding 
algorithm to decode the said encoded part in the 
transferred signal to obtain the said input value. 
The method may further include the steps of: 
at the encoder, storing a plurality of parameter sets, each 20 
parameter set including information selected at least 
from: 

a respective serial number; 
a respective seed; and 

respective information derived from applying the said 25 
respective key and the algorithm to a respective input 
value; 

selecting a parameter set; 
activating the encoder using a command; 
transferring a signal which contains the key generation 30 
information associated with a selected parameter set; 
and, at the decoder, 
storing a plurality of parameter sets, each parameter set 
including information selected at least from: 
a respective serial number; 35 
a respective management code; and 
a respective counter value; 
receiving the said transferred signal, and 
generating a respective second key, associated with 
a selected parameter set, using the manufacturer's 40 
master key and the key generation information 
contained in the said transferred signal. 
Preferably the encoder and the decoder are each formed in 
a respective microchip. 

The invention also provides an encoder which includes: 45 
means for storing a serial number; 
means for storing at least one of the following: seed; and 
a key which is generated using a manufacturer's master 
key and at least one of the following: 
the seed; 

the serial number; and 

means for transferring key generation information 
selected at least from: 
the seed; 

the serial number; and 
information derived from applying the key and an 
algorithm to an input value. 
The encoder may include means for storing a plurality of 
parameter sets, each parameter set including information 6Q 
selected at least from: 

a respective serial number; 
a respective seed; 
a respective key; and 

respective information derived from applying the said 65 
respective key and the algorithm to a respective input 
value; 



50 



55 



and means for selecting a parameter set; 

the said transferring means being adapted to transfer the 

respective key generation information for the selected 

parameter set. 

The invention also extends to a decoder which includes: 
means for storing a manufacturer's master key; 
means for receiving a signal which contains key genera- 
tion information selected at least from: 
a seed; 

a serial number; and 

encoded information derived from applying a first key 
and an algorithm to an input value; and 

means for generating a second key using at least the key 
generation information and the manufacturer's mas- 
ter key. 

Means may be provided for storing at least one of: 
the second key; 

the key generation information; and 
the serial number. 

The invention further provides an access control system 
which includes an encoder a learning mode activation 
means, and a decoder, the encoder including: 
means for storing a serial number; 
means for storing at least one of the following: 

a seed; and 

a first key which is generated using a manufacturer's 
master key and at least one of the following: 
the seed; and 
the serial number; and 

means for transferring a signal which includes key 
generation information selected at least from: 
the seed; 

the serial number; and 

information derived from applying the first key and 

an algorithm to an input value; 
a decoder learning mode activation means physically 
remote from the encoder and the decoder for 
setting the decoder in learning mode; and 
the decoder including: 

means for storing a manufacturer's master key; 
means for receiving the transferred signal; and 
means for generating a second key using at least 
the key generation information and the manu- 
facturer's master key. 
The system may include means for storing the second key 
or the key generation information. 

In the former case the system may include: 
means for activating the encoder with a command; 
means for encoding at least an input value using the first 
key and an algorithm to form an encoded part, the input 
value including information selected at least from: 
a counter value; 
a management code; and 
information relating to the command; 
means for forming a signal, for transfer by the encoder, 
from at least the serial number and the encoded part; 
the decoder including means for using the second key 
and a decoding algorithm to decode the said encoded 
part in the transferred signal, received by the said 
signal receiving means, to obtain the said input 
value. 

In the latter case the system may include: 
means for activating the encoder with a command; 
means for encoding at least an input value using the first 
key and an algorithm to form an encoded part, the input 
value including information selected at least from: 
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a counter value; 

a management code; and 

information relating to the command; 

means for forming a signal, for transfer by the encoder, 

from at least the serial number and the encoded part; s 
the decoder including means for using the key genera- 
tion information and a decoding algorithm to decode 
the said encoded part in the transferred signal, 
received by the said signal receiving means, to 
obtain the said input value. 
The system may include means for storing a plurality of 
parameter sets at the encoder, each parameter set including 
information selected at least from: 
a respective serial number; 
a respective seed, and 

respective information derived from applying the said 
respective key and the algorithm to a respective input 
value; 

means for selecting a parameter set; 

means for activating the encoder using a command; 2 o 

the signal transferring means then transferring a signal 

which contains the key generation information associ- 
ated with a selected parameter set; 
means for storing a plurality of parameter sets at the 

decoder, each parameter set including information 25 

selected at least from: 

a respective serial number; 

a respective management code; and 

a respective counter value; and 

means for generating a respective second key, received 30 
by the said signal receiving means, associates with a 
selected parameter set, using the manufacturer's 
master key and the key generation information con- 
tained in the said transferred signal. 
Preferably the encoder and the decoder are each formed in 35 
a respective microchip. 

It is an object of the present invention to provide an access 
control system wherein a transmitter or token, such as a 
so-called "smart card " may be replaced or added to the 
system by a user without external equipment and without 40 
transferring an encoding key in clear format, i.e., in unen- 
coded form. 

The access control system may allow for the disabling, in 
a decoder, of stolen transmitter codes to prevent unautho- 
rized access to the system. 45 

Another object of the invention is to provide an access 
control system which acts against the use of code grabbing 
or scanning methods. 

The invention is further concerned with an encoder and a 
decoder for use in an access control system, and with their 50 
method of operation. 

During the manufacturing process, encoders are pro- 
grammed with different serial numbers associated with a 
range of decoders. A unique manufacturer's master key is 
used together with an algorithm and the serial number, to 55 
generate and store a user key in a non-volatile memory of the 
encoder, together with counter, management code and other 
information. Several sets of these parameters can be stored 
to handle several transmissions (transmit different com- 
mands by activating different inputs). The manufacturer's 60 
master key is also stored in all the manufacturer's decoders. 
User data and control data is also programmed to control the 
different functions that need to be activated by the encoder. 
The same algorithm used to generate the user key in the 
encoder must also be present in the decoder. 65 

In normal operation of an encoder, the key information 
associated with a parameter set is used to encode the variable 
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counter information, together with the encoder management 
code, serial number and other information by making use of 
a special algorithm. The information that is encoded will be 
different each time the encoder is activated. This technique 
is referred to as code hopping. Although it is known that the 
counter information changes, the transmission is not pre- 
dictable because of the secret key and algorithm that encode 
the information. In an access control system, a fixed part 
denoting the serial number may be generated with the code 
hopping part and together form a transmission value that is 
transmitted by a data transfer interface. 

In one embodiment of the invention, an encoder learning 
capability is implemented. This allows a user to replace an 
encoder or add an encoder to be recognized by a decoder 
which has a learning mode function, selectable by the user. 
The learning mode function can be selected by activating it 
on the decoder. This can, be accomplished by using a normal 
encoder and programming the output function to set the 
decoder in learning mode. This is also known as a master 
encoder or token. The use of such a master encoder allows 
for a higher level of security to be achieved. The master 
token may also be used in conjunction with input switches. 

In a different embodiment of the invention, it is possible 
for an encoder to encode an external input value. This input 
value replaces the value to be encoded internally by the 
encoder. A bidirectional communication arrangement is used 
in this case. This procedure can be used to identify the 
originality of the encoder, known as identification friend or 
foe (IFF), for access control and authentication purposes. 
The encoder accepts a challenge value as an input from a 
terminal that forms part of an access control system. This 
input value is encoded by the encoder using the encoding 
function and key to form an encoded value. The encoded 
value is then transferred to the decoder that is part of an 
access control terminal. If a legitimate encoder is used, the 
encoded value will correspond with a decoded value calcu- 
lated by the decoder and the decoder will enable an external 
function to operate. If it is not a legitimate encoder, the 
decoded value will not correspond with the value generated 
by the decoder, preventing the required response by the 
decoder. 

The encoder can be used in a token or a transmitter type 
device in an access control system. A transmitter would 
generally, on activation, transfer information from the 
encoder output to a receiver system via a transfer medium 
such as radio (rf), infra red (ir) or microwave. A token can 
also designate a transmitter device, but more generally 
includes a device in which information transfer is done by 
means of electrical contacts and conductors. In these physi- 
cal contact tokens (or smart cards), information can be 
transferred bi-directionally through read and write opera- 
tions. In both cases the invention is directed to the transfer 
of information regarding the encoding or decoding key 
without possibly exposing the encoding or decoding key to 
the outside world. 

Once the learning mode of the decoder is selected, the 
data from the new encoder is captured and the serial number 
is first used. By making use of the manufacturer's master 
key and the captured encoder serial number, a new decoder 
key is derived with the key generation algorithm that must 
form part of the decoder. The newly derived key is used to 
decode the variable (encoded) part of the previously cap- 
tured transmission. Once decoded, it is checked to verify 
that the correct key was generated and used. 

In a different embodiment, a further transmission can be 
required to be decoded. This double transmission system can 
then also check the decoded counter information to ensure 
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that the generated key is valid. The encoder serial number is 
stored in nonvolatile memory, and associated with it, the 
derived decoder key, management code, counter and other 
user information, the learning is thus verified before it is 
accepted as valid, after which the encoder can be used to 5 
activate the decoder in normal operation. 

In normal operation, the encoder, when activated through 
electrical inputs, for example by depressing a push button 
switch, or switches, or by any other suitable command 
means, encodes the counter, button and management code 
information with an algorithm and a key. The management 10 
code information usually consists of information selected 
from the following group: the encoder status, command, 
identity, technology type, time, mode, integrity and user 
data. It may also include time information. This time infor- 
mation may be used to transfer the time that the encoding 15 
event took place or to indicate valid periods or expiry dates 
to the decoder system. The user key is associated with the 
serial number that forms part of the information that is stored 
in non-volatile memory. The unencoded serial number and 
the encoded information are transferred by external data 20 
transferring means. The data transfer can be a transmission 
by an encoder, or the encoder can be activated electrically in 
a specific application to transfer the data. 

The decoder, on receipt of the transmission, detects the 
unencoded serial number and encoded part. It compares the 25 
serial number with the serial numbers of the learned encod- 
ers stored in its memory. If no comparison is found, the 
transmission is rejected. If a matching value is found, the 
decoder key stored in memory associated with the matching 
serial number is used to decode the encoded information 30 
with a decoding algorithm. The integrity of the transmission 
is checked to verify that the signal was received and decoded 
correctly. If this is valid, the counter is checked. If valid, the 
decoder counter information is updated and the output 
function control is activated. If the counter is not valid, the 35 
transmission is rejected. 

The advantages of the security system are that the trans- 
missions always differ without intervention from the user 
and that the learning process is conducted in a secure 
fashion. The learning decoder must be accessible and avail- 40 
able and information regarding the manufacturer's master 
key must be available in the decoder. 

In a different embodiment, an even more secure learning 
process is implemented. Using an algorithm and a manu- 
facturer's master key together with a unique key generation 45 
seed chosen for each encoder, an encoder key is generated. 
The key generation seed and user key are programmed into 
every encoder along with the encoder serial number and 
management code information. The key generation algo- 
rithm and manufacturer's master key need not preside in any so 
encoder. No mathematical link need or should exist between 
encoder serial numbers and key generation seeds. When 
learning a decoder with a new encoder, the encoder is put 
into learning mode and the key generation seed and serial 
number are transferred to the decoder. The decoder gener- 55 
ates a key for this encoder, using the manufacturer's master 
key, key generation seed and key generation algorithm. As 
the key generation seed is only transmitted during the 
learning process, unauthorized access, under normal 
operation, is not possible. 60 

A verification process is initialized to verify that the 
correct key has been generated and that other encoder 
information has been stored. On completion, the encoder is 
now a valid encoder. This verification process also ensures 
that transmitted with rogue encoders or transmitters from 65 
other manufacturers that do not have the correct manufac- 
turer's master key cannot be learned. 
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The use of a key generator seed protects the security of the 
system in the event of unauthorized scanning for the serial 
number of an encoder. With the known serial number, it is 
very unlikely, but possible, that an encoder can be forged if 
access is gained to the manufacturer's equipment and the 
manufacturer's master key. If a key generator seed is used, 
however, the key that is stored in the decoder cannot be 
generated without having access to the owner's transmitter 
or token as well. 

After the learning operation has been successfully 
executed and the decoder has returned to the normal oper- 
ating mode, the encoder can be used to activate the decoder 
in the normal way. This means the serial number will again 
be compared against learned systems. Special baud rate 
compensation circuitry can be used during the reception 
process to allow reliable code reception. The stored key 
associated with the encoder serial number is used to decode 
the transmission. The integrity of the received and decoded 
transmission is checked for validity by comparing the man- 
agement code information received and decoded from the 
encoder with the stored information. A similar process is 
carried out on the associated counter information. If 
successful, the counter information is updated and the pre- 
determined output signal is selected, resulting in the correct 
external function being activated. 

To prevent an intruder from grabbing key information and 
compromising a security system, the key information should 
never be transmitted. Code hopping makes it impossible for 
an intruder to gain unauthorized access to the decoder or the 
learning capability of the decoder by using code grabbing or 
generation, or by initializing an unauthorized code hopping 
encoder. 

The described system makes use of stored keys in the 
decoder to decode incoming transmissions. An alternative 
arrangement for a learning system is to store only the key 
generation seed, instead of the full key, in the decoder's key 
location. During decoding operations, the correct key is 
generated from a selection of the associated seed, serial 
number and manufacturer's master key. The advantage is 
that less nonvolatile storage space is required, as the key 
generation seed may require less storage space than the key. 
The correct key is generated in RAM whenever needed. 
Since several encoders can be learned to a single decoder 
and the RAM can be used over and over, this implementa- 
tion can be economical. 

This invention can be used in different configurations to 
enable a manufacturer to utilize its principles, for example, 
in a vehicle security system, door or gate remote control 
security system or in a system to control personnel access to 
a security area. Different kinds of transmission media can 
also be used, for instance radio, infra red or a physical wire 
connection. 

BRIEF DESCRIPTION OF THE DRAWINGS 
The invention is further described by way of example 

with reference to the accompanying drawings in which: 
FIG. 1 is a simplified representation in block diagram 

form of an encoder and data transfer interface, and a decoder 

and data transfer interface in an access control system 

according to the invention; 

FIG. 2 is a block diagram, in greater detail, of the encoder 

of FIG. 1; 

FIG. 3 is a block diagram, in greater detail of the decoder 
of FIG. 1; 

FIGS. 4a and 4b are flow charts of the operation of a 
learning algorithm embodied in the system of the invention; 
and 
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FIGS. 5 A and 5B are diagrams of the storage format of whole from the decoder commands that are received from 

sets of parameters used in the encoder and the decoder of the the format detector and mode select input signals. Control 

invention. signals can consist of decoder mode changes, selection of 

key generation, storage of information, such as keys and 

DESCRIPTION OF THE PREFERRED s serial numbers, integrity checking, synchronization and 

EMBODIMENT counter value storage, and output signals. 
The invention is described hereinafter firstly in a general jrhc~CMtroUcT49 may K^^irTeiu^erof "two-modes, 

sense, with reference to FIG. 1, in order to illustrate the namely a encoding 

principles of the invention and thereafter, with reference to ^n^^ Eaebmodeliiiy be*selected, as has Geen indicated; by 

FIGS. 2 to 5B, in a more detailed manner which is related 10 arTappropriate choice of the buttons 48, or in any other 

to a practical embodiment of the invention. suitable way specific to the application arrangement of the 

encoder. Once a command has been entered by the>button 

Simplified Description encoding part 14, control signals are issued by the control 

CT/ ^r^ '■ — V^TT^ ~~Z 7~ ~) Pi rt 49 * In toe normal operating mode, control signals are 

FIG. 1 is a simplified block diagram of a transmitter/ 15 /issued t0 operate ^ counter/storage and error correction 

composing an encoder 10 and a data transfer interface/11, , part u management mdt sl 17> 

and a receiver comprising a decoder 12 and a data transfer f9 key s^rage^22,,serial.numbe r storage 24 and PWM code' 

mterface 13 used in a code hopping remote control system. fagg^ to*£l^ output of 

Sophisticated functions and multiple encoder/decoder com- ach ific t ^ ensures that the /. 

bmationsJu^been_omn^^ 20 tion - dcscribed morc spccifically bclow . 

pjeinvenuon ^Rh^n^Tis^^^ mode, the control part 

tatioj^le^rmng in a code hopping system. Uarning has 49 ^ signalfi tQ the seed e 20 

been implemented in standard fixed code systems, but code number &{ 24 and pwM code gcncrator 26 to select and 

hopping systems present a unique chalknge. Information activate the appropriate out ut of each ific n ^ 

.encoded by the encpder cannot be decoded unless one has 25 ensures ^ , h( . ^ J m0K 

access to a user key and the encoded roformahonycan specifically below 

'consequently not be used to transmit, the .key to the decoder. , t~~7\ . . ;r>-; - : — : — ■. 

/"The invention is directed to overcoming this .problem. r -Th^ntg 3 Uej 1 31,of'me'decoder may function in either of 

„ _,— , , - =-t~ir~''~ == ^'7~" , 7; . f*Q mooes, namely a leamiatfwTCc add a dcshnal operating 

^encoder includes a button encoder 14, a counter/ en coding^de. ThTm^db.may.be.selected-by-appropriate 

storage and error correction 16, management code storage ^° Waml^exteW circuitry. ,^ emal drcuitry %; n Vacti- 

17, a non-lmear encoder 18. having an encoding ; algorithm, vatcd b thc normal detecti and decodin ^ as 

storage 20 for a key generation seed, storage 22 for a us^r described bel to tQe decoder ^ a mode 

key storage 24 for a .serial number associated with toe Extcmal circuit such as a h ^ uo * other 

encoder, and a pulse^width-modulated-code-generator 26. c n »*„u;„ n ™„„„ u~ a « n c i_t 

» ^ — s / 35 switching means, can be used as well. Preferably, according 

-The decoder 12 consists of a controller 31, a format to one embodiment, it has been found that it is more 

detector 32, a decpd|r^ decoding algorithm,.^ convenient and less expensive to include a decoder learning 

mtegrity^checIanfpa^S, a counter value (synchronization) mo de activation means which is physically remote or 

checkin^un^ 38, detached from the encoder and the decoder._For_example, 

counter/ stgrage JOJor a manufacturer's master key, a key 4Q according to ^>ne embodim ent, whlreinthe encoder/decoder/ 

generating unit 42, storage 43 for a management code,, system'oHhe present invention is utilised in a garage door 

storage 44 for a decoder key, and storage^ngLejTpxcorrec- 7 opening system; the decoder/receiver learning mode activa'- 

*S " fo r counter in formation^ Uon means is preferamy/Meaa of pl$£ally located onjhe, 

^The button encoder 14 is responsive to a plurality of receiver (or-the transmitter/encoder), located on the wall of 

buttons 48 which are manually actuable. When a button is 45 the garage in electrical communication with the receiver/ 

actuated the encoder 10, as a whole, is activated. The decoder Preferably, the learning mode activation means is 

encoder may function in any one of a plurality of modes, as parTof the wall console switch which is also utilized Jo_ open 

will become apparent from the following description, with and'closBU^gaT^ the transmitter/ 

the encoder operating mode being determined by the button encoder to do the same. Preferably, the wall console switch 

or combination of buttons which are actuated. The encoder 50 isconfigured such that upon activation of the switch, e.g. by 

functions are controlled by a controller 49. depressing a button for an extended period of lime (e.g. 5 

The controller part 49 of the encoder controls the encoder seconds)-sets the receiver/decoder intoJ : ^learmng- mode. 

operation. The control part 49 is connected to each part of Preferablyrwhen:'me T 'wall T console switcrTor button LTonly 

the encoder and senses the operational slate of each part and activated or depressed for a short period of time, the garage 

provides operational control signals to each part to control 5S d 9 0r opens and closes ^re speedy cl y. J 
the operation and functioning of the encoder as a whole. L In normal'biperation mode, once the decoder has detected 

Encoder commands are received from the external buttons a received J signal using the format detector 32, the controller 

and used to initiate operational control signals to the rest of 31 decides on the control signals to operate the decoder. 

the encoder. Control signals can consist of encoder mode Control signals are issued to the key generation algorithm/ 

changes, selection of transmission information and activa- 60 control 42, key storage 44, decoder 34, management storage 

tion of all the different parts as necessary. 43,-;integrity cheeking 35, counter/storage and error correc- 

The controller 31 of the decoder controls the decoder in ^P n 4 <>, counter value checking 36 and output management 

a similar fashion as the encoder control part 49 controls the 38 to select and activate the appropriate-output/of each 

encoder. The control part 31 is connected to each decoder specific part. This ensures that me, encoder will function as 

part. It senses the operational state of each part of the 65 described,more-specifically below, 
decoder and provides operational control signals to each part If the decoder is used in learning mode, the controller 31 

to control the operation and functioning of the decoder as a issues commands to the key generation algorithm/control 
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42, key storage 44, decoder 34, management storage 43, 
integrity checking 35, counter/storage and error correction 
46, output management 38 and learning control 100. This 
ensures that the decoder will store the appropriate informa- 
tion and function as described more specifically below. 5 

In the normal operating mode the counter/storage and 
error correction 16 is activated each time the encoder 10 is 
used. Its count is therefore indicative of the number of times 
the encoder is used. The counter value is stored in non- 
volatile memory. The memory only operates when power is 1Q 
supplied to the encoder. If the counter value is changed and 
the power disconnected at the, same time, it can cause 
spurious values to be stored. For this reason, an error 
correction function is included in the counter/storage and 
error correction 16. The counter information is encoded in 
the nonlinear encoder 18 using the user key in the storage 22. 
The output of the encoder 18 thus comprises variable 
information which is combined in the generator 26 with the 
serial number from the storage 24. The serial number, as has 
been noted, is associated with the encoder. The output of the 2Q 
generator 26 is applied to the data transfer interface 11 and 
transmitted to the data transfer interface 13 and decoder 12. 
The serial number can also form part of a unit number 
uniquely to identify an encoder unit. 

It is to be noted that the encoder and the decoder may be 25 
directly connected, for example by means of a wire, or the 
encoder and decoder may be remote from one another and 
the transmission of information may be done by radio signal, 
optically, at an infra-red frequency or in any other suitable 

wav - 30 

The signal which is received by the decoder 12 using the 
data transfer interface 13 is converted to a logic signal 
which, in turn, is converted by the format detector 32, to a 
number which is applied to the decoder 34. The detector may 
be a pulse width modulation code detector. The decoding 35 
algorithm of decoder 34 decodes the variable portion of the 
number yielding counter and management code information, 
the integrity of which is checked by the part 35 using 
management code information in the storage 45, to verify 
the validity of the decoding operation. If it is valid, the unit 40 
36 compares the decoded counter information with counter 
information held in the storage 46 to determine that the 
decoded number is valid and has not been used before. If the 
reception is valid then the relevant outputs are activated by 
the output management function 38. 45 

In order to implement learning, the user places the 
decoder 12 in a learning mode. Preferably, according to one 
embodiment, this is accomplished by activating the learning 
mode activation means which is physically detached or 
remote from the decoder. The encoder 10 is also effectively 50 
placed in a learning mode by activation of the appropriate 
buttons 48. In this case, the key generation seed held in the 
storage 20 is applied together with the serial number in the 
storage 24 to the generator 26. It is to be noted that the key 
generation seed is only used during the learning operation. 55 
The whole operation of the decoder is controlled by the 
controller 31. 

The data transfer interface 11 thus transmits information 
on the key generation seed and the serial number to the 
decoder 12. The data transfer interface 13 receives this 60 
information which is then detected by the detector 32 and 
passed to the key generation unit 42. This unit calculates a 
decoder key based on the incoming key generation seed and 
the manufacturer's master key which is held in the storage 
40, The newly generated decoder key is stored in the 65 
location 44 and can be used for any future decoding 
operations, acting on the decoding algorithm of decoder 34. 
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The key generation algorithm that is used in key genera- 
tion unit 42 during the secure learning operation is usually 
a non-linear algorithm. This algorithm accepts as input the 
manufacturer's master key 40 (not known) and key genera- 
tion information. The key generation information can con- 
sist of the encoder serial number 24 or the seed 20 or both. 
This information is transferred from the encoder in a learn- 
ing operation to the decoder. 

The decoder 12 uses the key generation algorithm to 
generate a key 44 that is used to decode a normal code 
hopping transmission. The security of this mechanism per- 
tains to the fact that the relationship between the transmitted 
seed and the decoding key is not known, rendering any kind 
of interception of the transmission useless. The nonlinear 
key generation function also makes it impossible to establish 
any relationship between the key and the key generation 
information, making it impossible for a possible imposter to 
copy an illegitimate encoder. The key 22, serial number 24 
and randomly generated seed 20 of an encoder 10 are loaded 
during the manufacturing process. The manufacturer gener- 
ates the key using the seed, serial number, manufacturers 
master key and key generation algorithm. The key genera- 
tion algorithm is not made know publicly. Because the seed 
is a random number, the possibility of manufacturing two 
encoders with the same keys are very slim. Considering the 
fact that the serial number is also used in this process, it is 
highly improbable, 

The verification of the learning process is effected as 
follows. The user presses the appropriate button 48 for 
normal operation of the encoder 10, thereby causing the 
transmission of the variable code which is produced by the 
non-linear encoder 18, and of the serial number held in the 
storage 24. The newly generated decoder key in the storage 
44 is used to decode the incoming code in the decoding 
algorithm of decoder 34. The management code information 
which is thereby produced, is used to verify the validity of 
the decoding operation by comparing it to the management 
code in the storage 43. The incoming counter information is 
stored in the relevant storage location 46. An error correction 
function is included in unit 46 to ensure that if spurious data 
is stored during a power failure, the correct data can be 
recovered as soon as power is restored to the decoder. 

The user then activates the encoder 10 again. Once more 
the resulting variable code and the serial number are 
received by the data transfer interface 13. The variable code 
is decoded by the decoding algorithm of decoder 34, using 
the newly generated decoder key. The counter information 
which results from this transmission is checked against the 
counter information held in the storage location 46. If the 
comparison indicates that the two variable code transmis- 
sions were successive then it is assumed that the learning 
process has been valid and the decoder is taken out of the 
learning mode. The system may now be used for normal 
operation. 

A special relationship exists between the key generation 
seed in the storage 20 and the user key held in the storage 
22. This relationship is dependent on the manufacturer's 
master key held in the storage 40. The manufacturer's 
master key is however not programmed into the encoder but, 
instead, is used in a production line programming unit which 
programs corresponding key generation seeds and user keys 
into respective encoders. The manufacturer's master key is, 
on the other hand, programmed into each decoder and is 
used during learning, in the manner described, to calculate 
the correct decoder key, which is then held in the storage 
location 44, from the received key generation seed. 

In a variation of the learning process the serial number 
which is held in the storage 24 is used by the key generation 
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unit 42 to generate the decoder key. In this case there is no different information. This means that with an amount of 

need for the encoder to have the capability of transferring the only b buttons, 2 to the power of b different functions can be 

key generation seed. Further, a special relationship exists distinguished and selected. The button encoding 15 can also 

between the serial number and the user key, rather than be used to set the encoder in learning mode by programming 

between the key generation seed and the user key. 5 the encoding function to output a predetermined value. This 

The serial number is present in each transmission. Thus va *ue can be presented if any one or combination of buttons 

the encoder from which a transmission originates can be are pressed. 

identified even though an outsider cannot gain access to the A section of non-volatile memory 54 is used to store a 

information contained in the transmission. The serial num- plurality of parameter sets 56 A . . . 56N. Each parameter set 

ber can be used to identify several encoders in a single 10 consists of a fixed key generation seed 60 which corresponds 

system making it possible to accommodate several distinct to the seed held in the storage 20 of FIG. 1, a serial number 

encoders in a single decoder system, 62 which corresponds to the serial number held in the 

storage 24 of FIG. 1, an encoding or user 20 key 64 which 

Functional Description corresponds to the user key held in the storage location 22, 

The following description, based on FIGS. 2 and 5 of the 15 counter and error correction information 66 which includes 

accompanying drawings, is made with reference to a prac- me counter information held in the counter/storage and error 

tical form of the control system of the invention which correction 16, and a management code 68 corresponding to 

embodies the general principles which have been described tnat ne ^ i° tne storage 17. 

in connection with FIG. 1. Where applicable similar refer- As has been noted provision is made for the storage of 

ence numerals to those employed in FIG. 1 are used in FIGS. 20 several parameter sets 56. Each parameter set is associated 

2 to 5 to indicate like components. with what is termed herein a "virtual encoder" for the 

FIG. 2 depicts an implementation of a code hopping encoder can act as any one of different virtual encoders, 

remote control transmitter comprising an encoder 10, but- depending on which buttons 48 are pressed, 

tons 48, a controller 49, a power supply 50 and a data 25 The counter/storage and error correction 16 is updated 

transfer interface 11, which may all be housed in a protective each time the encoder is actuated. When several parameter 

housing, which is fitted with a key ring to enable the user to sets are used, however, only the counter information in a 

transport the transmitter conveniently. The buttons 48 may particular parameter set is updated each time the correspond- 

be push button switches, for activation by remote control of ing virtual encoder is used. 

the various functions of the security system, and possibly for 3Q A specific encoder can either use a single stored parameter 

the supply of power, from the power supply 50, which may se 56 along with various function requests, or different 

be a battery, to the entire transmitter. parameter sets with similar or different function requests. 

All the elements shown in the block diagram, apart form Typically, different parameter sets will be used if several 

the power supply 50, the button switches 48 and the data different decoders are to be accessed. Several functions 15 

transfer interface 11 can be implemented in a single inte- 35 might be accessible on each of these decoders. A single 

grated circuit. An application specific integrated circuit is encoder might then be configured to access all the decoders, 

the preferred implementation in order to make reverse using different parameter sets, and be able to combine 

engineering as difficult as possible. Reverse engineering different function requests with each of the parameter sets, 

poses a security risk insecurity systems, as full access to The serial number 62 is unique to a particular virtual 

algorithms and stored information is provided by this pro- 40 encoder, and is encoded with each emission from that 

cess * particular virtual encoder. The encoding or user key 64 is a 

The encoder 10 includes a means 14 (button encoder) for number, unique to a specific virtual encoder, that is used to 

encoding information regarding the buttons 48 which are encode the transmission in such a way that the original 

pressed and outputs encoded information 52 which is used encoded information cannot be retrieved by an outsider. The 

for controlling the operation of the encoder using the con- 45 management code 68 consists of information about the 

troller 49 as well as other parts, and which may be encoded status of the particular virtual encoder, and may include 

as a "function request" to determine the functions to be sections with predefined values for checking the integrity of 

activated by the decoder 12. The controlling functions decoding operations in the decoder. The counter and error 

include selecting the mode of operation of the serial code correction information 66 is the count of a 16 bit counter, 

generator 26, and selecting the virtual encoder to be emu- 50 used for keeping track of the synchronization between the 

lated. (The meaning of the phrase "virtual encoder" will encoder and the decoder and error corrected if a spurious 

become apparent from the following description.) A function error occurs during a storage operation. The counter is 

request can activate one of several outputs on the decoder. altered each time the virtual encoder is operated. The key 

A typical application would be in a vehicle security system, generation seed 60 is a number which, as has been noted 

where different decoder outputs could be used to disarm an 55 with reference to FIG. 1, bears a specific relationship to the 

immobilizer, arm an alarm, disarm the alarm and operate encoding key 64. While the key is read protected, the seed 

electric windows of the vehicle. 60 is not necessarily inaccessible. However, the relationship 

As an example of button encoder 14, if an amount of between the two is sufficiently obscure that an outsider will 

buttons b are used to activate the encoder, the button not ^ e aD * e to i^er the key from the value of the seed, 

encoding function encodes the value b to distinguishable 60 The non-volatile memory 54 is read-protected to prevent 

values that are passed to the internal circuitry of the encoder. scrutiny of the encoding keys 64 from outside. Access to the 

Pressing two buttons at the same time can for instance keys, or to the serial number 62, the seed 60 and the 

initiate the generation by the button encoder 15 of a distin- manufacturer's master key in the storage 40, could enable an 

guishable value that activates the encoder to transfer encoder outsider to program a similar encoder with an identical key 

related information. If any one of the same tow buttons are 65 and gain access to the system. 

used separately, a totally different value is generated by the The encoder includes a non-linear encoder 18 which uses 

button encoding 14, resulting in the selection and transfer of a user key 64 to encode an input string. The key length 
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should be sufficient to ensure reasonable immunity against 
analytical attacks, considering the state of the art in com- 
puter technology. A key length of 64 bits is considered 
adequate for security and access control systems. The use of 
longer keys has adverse cost implications, while shorter 5 
keys provide reduced security levels. The length of the 
output string 70 of the non-linear encoding algorithm deter- 
mines the number of bits encoded by the encoder. A 32 bit 
output string provides a good balance between security and 
response time at typical remote control transmission rates. 10 
The input string to the encoding algorithm is 32 bits and 
contains function information 52 from the button encoder 14 
(4 bits), the counter information 66 (16 bits) and the man- 
agement code 68 (12 bits), specific to the encoder being 
activated. The management code can contain system status is 
information, including low battery voltage indicators and 
mode selections. 

A serial code generator 26 is used to assemble the code to 
be emitted. The code consists of either a combination of the 
32 bit encoded string 70 produced by the nonlinear encoder 20 
18 and the serial number 62 of the encoder, or of a fixed key 
generation seed 60 and the serial number 62. The code 
generator 26 also implements the modulation scheme 
required for transmission by the data transfer interface U 
which in this case is pulse width modulation (PWM). 25 

The output 72 of the serial code generator 26 is emitted by 
the interface 11 using electromagnetic or other means. The 
data transfer interface 28 can be replaced by a direct 
connection in the case where remote operation is not 
required. 30 

The encoder includes a status monitor 74 which can alter 
parts, for example status information, of the management 
code 68 in a particular memory block, depending on selected 
options and conditions existing in the encoder. These 
changes can be detected in the decoder to provide feedback 35 
on imminent encoder problems, for example a flat battery. 
The status aspects which are monitored are selected via a 
unit 76. 

The options 76 are programmed in the encoder in non- 4Q 
volatile memory to select different encoder status by status 
monitor 74. A specific predetermined option may indicate 
for instance battery low voltage. The sam value is pro- 
grammed in the decoder to sense the battery voltage low 
indication in a transmission for indication to the user. The 45 
programmed options 76 are activated, and therefore the 
selected status monitor 74, when an encoder is activated. 
The predetermined value is substituted in part of the man- 
agement code 68 before encoding and transferring the 
information. The options, when selected and transferred, are 5Q 
sensed by the decoder after decoding so that the pro- 
grammed action can be taken. 

FIG. 3 depicts an implementation of a learning code 
hopping access control decoder 12. 

A data transfer interface 13 converts the electromagnetic 55 
or other signals used for transmission of the signal from the 
data transfer interface 11 into a baseband logic signal 78 still 
modulated according to the modulation scheme imple- 
mented by the serial code generator 26. 

The decoder includes a detector 32 which has means for <so 
compensating for differences in transmission length due to 
timing differences between the encoder and the decoder. 

The detector 32 extracts a 32 bit variable number 80 from 
the signal 78 and applies it to a decoding algorithm 34 which 
decodes the variable number, using a 64 bit decoder key 82 65 
stored in a non-volatile memory 84. If a valid decoding 
process has taken place the resultant 32 bit code 86 contains 
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the information inserted into the nonlinear encoding algo- 
rithm of encoder 18 in the encoder 10 before encoding. 

The decoder includes an integrity checking unit 35 to 
verify the validity of the decoding process. For a valid 
decoding there is a predetermined relationship between a 
stored management code 90, which corresponds to that held 
in the storage 43 of FIG. 1, and the corresponding portion of 
the decoded 32 bit word 86. 

The decoder key 82 corresponds to the decoder key held 
in the storage location 44 of the decoder 12 of FIG. 1. 

A synchronization checking unit 36 verifies the validity of 
a transmission by comparing incoming counter information 
92, produced by the integrity checking unit 35, with stored 
counter information 94 for the relevant encoder. The counter 
information 94 corresponds to the information held in the 
storage location 46 of the decoder 12 of FIG. 1 and includes 
an error correction function to ensure that the value of the 
counter is corrected when a spurious error is stored during 
a power failure. 

An output management unit 38 manages the activation of 
or communication with other devices in the system. The unit 
38 provides an indication of which of several functions is or 
are desired, whether the encoder 10 has ceased encoding and 
whether any special options are being requested. An indi- 
cation of the identity of the encoder, from which the received 
signal originated, may also be made available. The unit 38 
also makes use of storage space in the non-volatile memory 
84 to manage options, determined by an option control unit 
96, which may influence the format in which output signals 
98, which are produced by the unit, are presented, or may 
enable or disable specific system features. 

A learning control unit 100 manages the learning process 
by passing appropriate instructions to the detector 32, the 
decoding algorithm of decoder 34, the integrity checking 
unit 35, the synchronization checking unit 36 and a key 
address management unit 102. The unit 100 can be placed 
into the learning mode from outside the decoder, or special 
output combinations can be used to place the decoder in the 
learning mode, by passing the relevant signal from the 
management control unit 38 to the learning control unit 100. 
Most preferred, is a system wherein the decoder is set into 
the learning mode by a learning mode activation means, e.g., 
a switch or circuit, which is physically remote from or 
detached from the decoder. Preferably, the learning mode 
activation means is physically remote or detached from the 
encoder also. Typically a single memory block is reserved 
for this purpose. The decoder, including the learning control 
100, is controlled by a controller 31. 

A parameter set 56 of a designated encoder, referred to as 
a master encoder, is stored in this reserved memory block. 
When the master encoder is activated the output function 
control unit 38 sends a control signal to the unit 100 thereby 
placing the decoder 12 in the learning mode. 

The non-volatile memory 84 makes provision for the 
storage of a plurality of parameter sets 102A. . . 102N which 
correspond to the parameter sets 56A . . . 56N in the encoder. 
Each parameter set includes a serial number 104 which 
corresponds to the serial number 62 of the corresponding 
encoder, and the associated decoder key 82, management 
code 90 and counter information 94. A manufacturer's 
master key 106, corresponding to the information held in the 
storage location 40 of FIG. 1, is also stored in the memory 
84 for use during learning operations. 

The key address management unit 102 manages the 
passage of information to and from the non-volatile memory 
84. The key address management unit can be implemented 
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in hardware or in software or in a combination thereof. This code generator 26 appends the relevant encoder's serial 

unit selects the memory bank to be used with each memory number 62 to the encoded part thereby forming a single 

bank being capable of storing a single parameter set. A output code 72 which is presented to the input of the data 

pointer is also maintained in a memory segment 108 indi- transfer interface U in PWM serial form (in this example), 

eating the next memory bank to be used for learning 5 For fixcd codc operation the key generation seed 60 is 

operations. presented directly to the serial code generator 26 which 

During learning operations a key generation unit 42 presents the code, together with the serial number 62, in 
generates a decoding key 82 for the new encoder and PWM serial form to the data transfer interface 11. 
transfers it to the relevant memory location for the respec- In botn modes of operation the data transfer interface 11 
live parameter set 102. A non-linear encoded algorithm of a 10 transmits the information from the serial code generator 
similar level of complexity to the code hopping algorithm is us i ng electromagnetic or other means, 
used to ensure that the relationship between the key gen- 
eration seed and the encoding or decoding key 82 is as Operational Description— Decoder Normal 
obscure as possible. Operation 

FIG. 5 contains a representation of an encoder parameter 15 «. , * . * 

set 56 and a decoder parameter set 102 and includes a Slgna1 ^ rccc L IVcd by ^ data transfcr mtcrface 13 arc 

summary of the contents of each parameter set. converted to the logic signal 78, still in PWM form. The 

tormat detector 32 monitors the logic signal 78 and when the 

Operational Description of the Encoder initial portion of an apparently valid signal is observed the 

I,. in , . • j . i 20 detector calibrates itself on the incoming signal to compen- 

When the user presses a button 48 to activate the encoder c ,, 0 frtr j a „: 0 *-~« f _ • i * • • t£ • j r 

in tu» u„ ttnn « 't i a a * • w u u >. sate tor deviations from nominal timing. The remainder of 

10, the button encoding unit 14 determines which button or tho ,„^ rvi :„„ c n „ i • • A , , t , 

„ K - fu « u u jj ... the incoming signal is received and converted to a number 

combination of buttons has been pressed and generates the w u;-u ; n *u? c aa u-* u- u 

a wu a a * tu t Z i.- r i whicn, in this example, is a 64 bit binary number. 

4 bit function code 52 together with a combination of control . 

signals. The control signals determine from which memory ^ first 32 blts of ^ detector 0Ut Put, i.e., the hopping 

block the relevant parameter set will be taken and whether 25 code ' are desi S nated 80 and a represented to the decoding 

the transmission should consist of a hopping code or a fixed a lg°rithm of decoder 34. The last 32 bits, i.e. the serial 

code number, are presented to the key address management unit 

Hie buttons 48 may be replaced by a system that can 102 ' ™* dclermincs th ^ mcmor V Wocfc : to be used by 

command the encoder electrically. The command can be 30 "T™?^ Tf . t ■ f "^^T th f. St0r f d Ser , ial 

generated, for instance, by a computer or other equipment, 3 ° 3^0^ 

using a special command interface. The power of the ™ Z r * t T ' a^T ^ 

encoder may also be suppl^by.the.command.interface. ^aI^^I^ * ' £^ , ^ ?° * 

1 ^^ t ~^^ v ^^s^m^.^m^^^^ L . 80. A32 bit output 86 is presented to the integrity checking 

I n ;anoth§3lpp lica UonUheteneoQ e rlandtde^coaeficombin a - ic tu*„ m w* * • * ^ . r 

. i'J«HMv£am unit 35. This 32 bit siring composes the original 4 bit 

allMpl^P^ 35 function code 52, 16 bits of counter information 66 and the 

P™ Q f^ 12 bit management code 68. The integrity checking unit 35 

^^m^^^^^^^^^^ instance^ checks for a predetermined relationship between the 

.ae'security W <0%* ^mmunication;takes place on an decoded management code 68, in the decoded word 86 and 

electrical interface. .In this case bidirectional communication thc stored vcrskm 90 , f a defincd rclationshi exists thc 

is used to communicate information between an encoder and 40 decoding is held to have been valid, 

a decoder. The serial number 62 of the encoder is transferred ™ , , , ^ . 

to the decoder to establish the key 82 to be used in the ^ d ^ ded C0Unt L er 66 15 cora P ared Wlth the stored 

decoding process. A value is presented as an input value to C0Ur ? er 94 held 10 thc /espective parameter set. If the 

the encoder by the decoder, known as a challenge. The s y nch ™ D f atl ° n P"™* that the transmission is valid the 

encoder encodes the challenge value and returns the encoded 45 St0red Value , 94 l j upda ' ed *° d the 0Ut P ut CODtro1 ^ nc ^ on 

value to the decoder. The decoder now decodes the encoded Umt 38 lS advised accordin g lv - 

value and compares it with the challenge value to establish ^ unit 38 outputs the decoded function information 98. 

the authenticity of the encoder and activate an output The unit may make the information available in serial format 

accordingly. This technique is generally known as IFF' for use by an external controller or may have discrete 

(identification friend or foe). In this application, the seed 60 50 out P u > ts to indicate any of a number of different conditions, 

of the encoder can be transferred to a decoder in learning identity of the encoder being decoded that can be 

mode. The key 82 can be generated and stored in the decoder included as part of the management code, a valid signal 

as described in this description. indicator, and a second function mode, are all examples of 

The ability to employ more than one parameter set for an useftl1 om P ut informati °n 98. 

encoder enables the encoder to address more than one 55 ru. 1 n • j T 

decoder without interference, even if a single operating Operational Description-Decoder Learning 

frequency is shared. The encoder appears to be a chosen one Operation 

of several independent encoders, each of which is capable of Learning operation takes place when the user wishes to 

independent operation, hence the phrase "virtual encoder." add a new encoder to the system. The learning control unit 

Clearly the encoders are not capable of simultaneous opera- 60 100 then receives an input signal prompting it to enter thc 

don. For hopping code operation the non-linear encoding learning mode, for example, by activating switch 110. 

algorithm of encoder 18 uses the respective encoding key 64 Preferably, as stated above, switch 110 is physically 

to encode the counter information 66 and the management detached or remote from the decoder and the encoder. The 

code 68 together with the 4 bit function code 52. The 32 bit signal may be in the form of an instruction from outside, 

output code 70 is presented to the serial code generator 26. 65 e.g., generated by a switch or may emanate from the output 

The counter information 66 is altered each time a transmis- function control unit 48 after reception of a valid code, as 

sion takes place for the respective virtual encoder. The serial has been described hereinbefore. 
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The user now activates the encoder 10 as a fixed code generation seed and the manufacturer's master key 106. The 

encoder using a specific learning hardware configuration. advantage is that less non-volatile storage space is required 

The key generation seed 60 is substituted for the variable as the key generation seed typically requires less storage 

code portion of the transmission and the serial number 62 is space than the key. The correct key is generated in RAM 

retained as the remainder of the encoded code. 5 whenever needed. 

The resultant signal, emitted by the data transfer interface Learning Algorithm 

11, is received by the data transfer interface 13. The format -™ c A , A * a * 

detector 32 passes the entire received transmission 78 to the ™ G ?f a . ai ? * « ° f ' he algonthm 

key address management unit 102. Thus the signal presented f mbodied m . <! e \ m Ta g a ™L i"' ', he 

to the unit 102 is a 64 bit string. The unit 102 deviates from io "T S m c ff bhsh 1 e e d n f d f* lbe u d Piously, 

its normal functioning in the learning mode and generates an be ^ f * nerab0D S * ed . ft "°> a ? hopping code 

decoding key 82 from the serial number, the key generation < S a f " 2 > are , re ? iv „ ed ^ the decoder ; " a . sta 8 e } 54 ? 

seed and the manufacturer's master key 106. This key is "'f^ count %( ln ^generation unit 42) » miUahzed, 

<■ *u it l j j * \. and set to zero. The relational counter is used to allow for 

written into one of the memory blocks depending on the , , . . ; 

t p . , j n r .u- 6 1t more than one relationship between the key generation seed, 

value of a pointer used specifically for this purpose and held 15 ^ » , u^u, 

in the memory block 108 The received serial number 104 is ' h < enood ? xnil ? umber 80(1 m ' * r QCoder > ° r 

stored in the relevant memory block associated with the 11,6 encoder senal number and "» k <* for ,he 

respective parameter set. The next learning pointer can be ™ , • 1 

managed according to a variety of different schemes. nc «^onal counter 154 is used at a stage 156 to 

Options include, inter alia, cycling the pointer through the 20 compose a modified seed for the key generation algorithm 

available memory locations and allowing the user to set the wmc , h 15 a non-hnear algorithm using at least the manufac- 

pointer from outside. turer s master kev 106 and the kev generation seed as an 

c . , c . , «• i . iL input After the key is generated (stage 158), the manage- 

From a secunty point of view a key generation algorithm, * nt „ u a *a a a \ a / / ™ 

f tu i - a - a ♦ u ,u a<% u u i t_ mcnt caQ DC decoded and stored (stage 162). The 

of the land earned out by the unit 42 should only be decodj ^ . { Js checke / at g > M , 0 

implemented m an application specific integrated circui as * decidc tf ^ d6cod; fa yaUd * 

a generic logic device, such as a micro processor, is readily rtrA( , J1A , £ , t „ „ tnna nn tf • . r j ■ < \ , 

° ■ , , . , .fi ' t ,/ proceeds to stage 170. If it is not valid, it is decided if the 

reverse engineered, leaving the algonthm open to public . ,j ir.t 

t - & » & & ^ operation should carry on or not at stage 166. If the operation 

" should carry on, the relational counter 154 is incremented 

The user now activates the encoder twice in the code (stage 168) to establish a new relationship that may be valid. 

hopping mode. During the first transmission the 64 bit code ti^ , . . , 4 -* • /• „ 

j u *u j * * c • * r 1 1 * j t_ I ne learning process terminates at a stage 172 if all valid 

is received by the data tansfer interface 13 and detected by relationshi 5etween the k eration ^ ed and the serfal 

toe detector 32^ He decoding algonthm of decoder 34 number hav6 ^ uscd and a yalid relationsh; (st lfi6) 

decodes the 32 bit van able code 80 using the newly gener- has not been f ounc j 

ated decoder key 82 and stores the decoded management ™ . .... ' . „ . . 

code 90 in the correct location. The decoded counter infor- 35 ^ P"*?^ of accidentally accepting an invalid 

mation 94 is also stored in the correct location. encoder during learning is related to the number of pre- 

- . , . . . , . . denned bits within the encoded management code. Since not 

, , DU ,™ g K th ,? S ™ , ^ Sml f .u n , rCCel l S ' gnal ^ more 12 bits are available in the implementation under 

detected by the detector 32 and the senal number is passed dis^ion , he bes, inlegrily „ ^ order of x m 4000 ^ 

to the key address management unit 102 where ,t is com- 4 „ level ^ f ded as inade at6 for sccurit s tems ^ 

pared with the newly stored senal number 104 In addition inte rit can be jm ed ei(her b iaaeas ^ ^ fc h f 

the 32 bit variable code 80 is decoded by the decoding mc ^ cnt of the 4 nageraen T ^de or by 

algonthm 34. Tne integrity checking unit 35 checks the ^p^e^g a checkin al ithm based on a 3^ 

decoded management code against the stored version 90 and transmission (stag6 176 in FIG . 4b) &om „„. cncodt;r bei 

the synchronization checking unit 36 checks the decoded 45 learned . ^ code le ths hav ' e disadvant such * 

counter information against me stored version 94. If any of nigner implementalion cost and longer resp ^ nse times 

these checks is unsuccesstul the learning operation is Usi a 

transmission increases the certainty of the 

rejected. II they are al successful the next learning pointer int rit cheddn b Qrdere of m4gpitudc 

in the storage location 108 is altered to mdicate that the next ^ ciin the tem mA 0 / me re ^ 

memory block is available for learning, „ T . , . c iL a r , . 

„ , , • , ^ 50 The sec °nd part of the flow chart implements this 

The learning process may also include a routine to learn techll i que( „ described with reference to FIG. 4b. If the 

a specific combination of outputs for use with a specific decoding function is performed and found valid (stage 170), 

encoder. For example, a specific user may require special a decoded value ^ s(ored (st m) ^ * ^ 

priority in a specific system and this priority can be assigned a hopping ^ k receivedt Th is ^ ^ decoded 

dunng such a routine. 55 (stage 178) aad the decoded minagemen t code verified 

Once the entire learning operation has been successfully (stage 180) with the stored management code. If the values 

concluded the user should activate the encoder once more to do not match the learning process is accepted as invalid and 

verify that the encoder is operating correctly. aborted. Next, the counter value is verified at stage 182 with 

AU „ XM t the stored counter value. If the values do not match, the 

Encoder Operat.on-MernaUve Key Management „ , ransmission fa accepted as an mvalid and ^ 

0 eme operation, and aborted. If the counter values match, a valid 

The system as it has been described makes use of stored learn operation accepted (stage 184). If the counters to not 

keys 82 in the decoder to decode incoming transmission. An match, as with normal code hopping system operations, 

alternative arrangement for learning systems is to store only some leeway may be allowed in the counter synchronization 

the key generation seed, instead of the full key, in the 65 checking (stage 182) to allow for interim transmissions that 

location allocated for the key 82. During decoding opera- may not have been decoded by the decoder, and can be 

tions the correct key is generated from the associated key accepted as if they match and accepted as valid. 
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At stage 184 it is assumed that a valid learning process has 
been completed. The next learning pointer (reference 108 in 
FIG. 3) is updated at stage 186 to point to the next available 
learning position. Output configuration learning associated 
with a particular encoder can be included at stage 188 if 
required. At stage 190 the learning cycle is completed. 

Obviously, numerous modifications and variations of the 
present invention are possible in light of the above teach- 
ings. For example, the encoder part 10 is implemented on an 
application specific integrated circuit (ASIC). Part of the 
circuit is made up of non- volatile memory that is used to 
store the different changing and programmable values, such 
as the parameter sets 56 and options 76. Although this 
method of implementation is used to ensure the security and 
practical aspects of the system, it can be implemented in 
software in a computer or a microprocessor controller. The 
same approach is used with the decoder 12. The functions 
and memory parts are implemented on an ASIC, but can also 
be implemented on a computer or microprocessor controller. 
This implementation may be preferable at the decoder, as the 20 
decoder may be required to store a large amount of infor- 
mation to allow many users to access the system. It is 
therefore understood that within the scope of the appended 
claims, the invention may be practiced otherwise than as 
specifically described herein. 

I claim: 

1. A method of operating a decoder which includes the 
steps of: 

storing first information and a key generation routine; 
setting the decoder into a learning mode by activating a 

decoder learning mode activation means physically 

remote or detached from the decoder; 
receiving second information from an encoder; and 
calculating a key using the second information, which has 35 

been received, the first information, which has been 

stored during manufacturing, and the key generation 

routine. 

2. An access control system comprising: 

an encoder; 4 o 
a decoder; 

wherein the encoder comprises: a memory that stores a 
key during manufacturing, the key being generated 
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using first information, second information, and a key 
generation routine; and a memory that stores the second 
information; 

wherein the decoder comprises: a memory that stores a 
key generation routine and the first information during 
manufacturing; 
a leaning mode activation circuit adaptable for setting the 
decoder into a learning mode, comprising: 
a circuit to activate the encoder to transmit the second 

information to the decoder during learning; 
a circuit to activate the decoder to receive the second 

information during learning; and 
a circuit to calculate, during learning, a key in the 
decoder using the second information, which has 
been received, the first information, which has been 
stored during manufacturing, and the key generation 
routine; and 

wherein the learning mode activation circuit is physically 
remote from the encoder and the decoder. 

3. A method of operating an access control system, 
comprising the steps of: 

storing a key in an encoder during manufacturing, the key 
being generated using first information, second 
information, and a key generation routine; 

storing the second information in the encoder; 

storing a key generation routine and the first information 
in a decoder during manufacturing; 

activating a learning mode activation circuit, wherein the 
learning mode activation circuit is physically remote 
from the encoder and the decoder; 

transmitting the second information from the encoder to 
the decoder in response to the learning mode activation 
circuit being activated; 

receiving the second information by the decoder; and 

calculating a key in the decoder using the second 
information, which has been received, the first 
information, which has been stored during 
manufacturing, and the key generation routine. 
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